Qhost - Fake Facebook Private Message - Rijndael Routine
Here is another trojan that uses Rijndael to encode its data (see the earlier case linked below).
It is currently carrying out local pharming against Peruvian banking entities.
Fake email:
Threat icon.
VirusTotal (V.T.) analysis, with a very low detection rate.
Analyzing the trojan, I find that it uses the same string obfuscation method as the earlier case.
See case: http://oberheimdmx.blogspot.com.ar/2012/03/qhost-iv-falso-video-de-facebook.html
Encoded data:
loc_402480: ldstr "Ft8CZnVefFiLkH63uHL3mBB4vs+1MqAJFaYYY3O2+xI="
loc_402488: ldstr "6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6q6t5IhiPq7ZiDUcgPcqUAM"
loc_402490: ldstr "Ft8CZnVefFiLkH63uHL3mE2QM7qO0gwH487u2zHb7rH/ctFXg7G4kTmbil9StkgM"
loc_402498: ldstr "Ft8CZnVefFiLkH63uHL3mMfv4L2QhCDHyUgFyFbABSw="
loc_4024A0: ldstr "LNDRQHqUqBQZke9qnfqj7SLJG6XvMLS1J2Uu7Wsm+dFkSe9Hz552tY81UhnjMc4v"
loc_4024A8: ldstr "6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6oIE7HCNCdGoq/gSiKKNZ9B"
loc_4024BE: ldstr "tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV"
loc_4024C6: ldstr "tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV"
loc_4024CE: ldstr "tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV"
loc_4024D6: ldstr "gu/hLx2k37LbJFrYE4FJWc68NdUBB26vgdPt2/bB3032LlEXXgyHBiP/BLzjkBy+"
loc_4024F4: ldstr "CPNd1iLAC8rnx8dwxJTDQv8Yyj2ib7DH5N6+E7xY53dX/7+XIa8VQv6KHgFsErZI04kEOz5bajuG3uQz1nU6Pg=="
loc_4024FC: ldstr "c4DAub0e1G54ZOZjPGWbgg=="
loc_402504: ldstr "6ySHYvET4UiEuXSXfOPFpIKrhCJ2aR0mblI2wSdQssI="
loc_40250C: ldstr "vl5QwlkWx0Ht7RmnWUWlvx3C6XO0SqB6odDAGIXQ73Q="
loc_402522: ldstr "RD89hEp37/leK/mlmLS7sf/uSJL3z5qo2/LyiPY2B0pXhG0TTVJ5zdROBX52KKv1"
loc_40252A: ldstr "3KV9m+7X1WQ93O4l5UZ4c+8sx2bwLP+7WIDBoayseAw="
Part of the Rijndael cryptography routine
Object: Defenza.cryptografia
Code: FatFormat
Start: 402AFC
Size: 227
Flag: MoreSects InitLocals
Max Stack: 5
Local Variables: 11000008
loc_402AFC: nop
loc_402AFD: ldstr "Pas5pr@se"
loc_402B02: stloc.0
loc_402B03: ldstr "s@1tValue"
loc_402B08: stloc.1
loc_402B09: ldstr "SHA1"
loc_402B0E: stloc.2
loc_402B0F: ldc.i4.2
loc_402B10: stloc.3
loc_402B11: ldstr "@1B2c3D4e5F6g7H8"
loc_402B16: stloc.s 4
loc_402B18: ldc.i4 256
loc_402B1D: stloc.s 5
loc_402B1F: ldnull
loc_402B20: stloc.s 6
loc_402B22: nop
loc_402B23: call get_ASCII
loc_402B28: ldloc.s 4
loc_402B2A: callvirt GetBytes
loc_402B2F: stloc.s 7
loc_402B31: call get_ASCII
Plaintext : Ft8CZnVefFiLkH63uHL3mBB4vs+1MqAJFaYYY3O2+xI=
Decrypted : C:\\Mis Documentos
Plaintext : 6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6q6t5IhiPq7ZiDUcgPcqUAM
Decrypted : C:\\Windows\\System32\\drivers\\etc\\hosts
Plaintext : Ft8CZnVefFiLkH63uHL3mE2QM7qO0gwH487u2zHb7rH/ctFXg7G4kTmbil9StkgM
Decrypted : C:\\Mis Documentos\\Documento1.docx
Plaintext : Ft8CZnVefFiLkH63uHL3mMfv4L2QhCDHyUgFyFbABSw=
Decrypted : C:\\Mis Documentos\\calc1.xlsx
Plaintext : LNDRQHqUqBQZke9qnfqj7SLJG6XvMLS1J2Uu7Wsm+dFkSe9Hz552tY81UhnjMc4v
Decrypted : C:\Windows\System32\drivers\csrss.exe
Plaintext : 6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6oIE7HCNCdGoq/gSiKKNZ9B
Decrypted : C:\\Windows\\System32\\drivers\\
Plaintext : tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV
Decrypted : http://www.unisportonline.co.uk/robots.txt
Plaintext : tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV
Decrypted : http://www.unisportonline.co.uk/robots.txt
Plaintext : tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV
Decrypted : http://www.unisportonline.co.uk/robots.txt
Plaintext : gu/hLx2k37LbJFrYE4FJWc68NdUBB26vgdPt2/bB3032LlEXXgyHBiP/BLzjkBy+
Decrypted : http://www.getsignbase.com/app/readme.txt
Plaintext : CPNd1iLAC8rnx8dwxJTDQv8Yyj2ib7DH5N6+E7xY53dX/7+XIa8VQv6KHgFsErZI04kEOz5bajuG3uQz1nU6Pg==
Decrypted : Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
Plaintext : c4DAub0e1G54ZOZjPGWbgg==
Decrypted : EnableLUA
Plaintext : 6ySHYvET4UiEuXSXfOPFpIKrhCJ2aR0mblI2wSdQssI=
Decrypted : ConsentPromptBehaviorAdmin
Plaintext : vl5QwlkWx0Ht7RmnWUWlvx3C6XO0SqB6odDAGIXQ73Q=
Decrypted : PromptOnSecureDesktop
Plaintext : RD89hEp37/leK/mlmLS7sf/uSJL3z5qo2/LyiPY2B0pXhG0TTVJ5zdROBX52KKv1
Decrypted : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Plaintext : 3KV9m+7X1WQ93O4l5UZ4c+8sx2bwLP+7WIDBoayseAw=
Decrypted : Windows defender
Local pharming: http://www.unisportonline.co.uk/robots.txt
Sample: http://www.mediafire.com/?wd6kfkua544d6o9
Pass = infected
PS: For those who asked me for the decryptor's source, I leave the code below. This code is not mine; for more details you can visit the author's site:
http://www.obviex.com/Resources/Articles.aspx
// SAMPLE: Symmetric key encryption and decryption using Rijndael algorithm.
// To run this sample, create a new Visual C# project using the Console
// Application template and replace the contents of the Class1.cs file with
// the code below.
// Copyright (C) 2002 Obviex(TM). All rights reserved.
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;

/// <summary>
/// This class uses a symmetric key algorithm (Rijndael/AES) to encrypt and
/// decrypt data. As long as encryption and decryption routines use the same
/// parameters to generate the keys, the keys are guaranteed to be the same.
/// The class uses static functions with duplicate code to make it easier to
/// demonstrate encryption and decryption logic. In a real-life application,
/// this may not be the most efficient way of handling encryption, so - as
/// soon as you feel comfortable with it - you may want to redesign this class.
/// </summary>
public class RijndaelSimple
{
    /// <summary>
    /// Encrypts specified plaintext using Rijndael symmetric key algorithm
    /// and returns a base64-encoded result.
    /// </summary>
    /// <param name="plainText">
    /// Plaintext value to be encrypted.
    /// </param>
    /// <param name="passPhrase">
    /// Passphrase from which a pseudo-random password will be derived. The
    /// derived password will be used to generate the encryption key.
    /// Passphrase can be any string. In this example we assume that this
    /// passphrase is an ASCII string.
    /// </param>
    /// <param name="saltValue">
    /// Salt value used along with passphrase to generate password. Salt can
    /// be any string. In this example we assume that salt is an ASCII string.
    /// </param>
    /// <param name="hashAlgorithm">
    /// Hash algorithm used to generate password. Allowed values are: "MD5" and
    /// "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes.
    /// </param>
    /// <param name="passwordIterations">
    /// Number of iterations used to generate password. One or two iterations
    /// should be enough.
    /// </param>
    /// <param name="initVector">
    /// Initialization vector (or IV). This value is required to encrypt the
    /// first block of plaintext data. For RijndaelManaged class IV must be
    /// exactly 16 ASCII characters long.
    /// </param>
    /// <param name="keySize">
    /// Size of encryption key in bits. Allowed values are: 128, 192, and 256.
    /// Longer keys are more secure than shorter keys.
    /// </param>
    /// <returns>
    /// Encrypted value formatted as a base64-encoded string.
    /// </returns>
    public static string Encrypt(string plainText,
                                 string passPhrase,
                                 string saltValue,
                                 string hashAlgorithm,
                                 int passwordIterations,
                                 string initVector,
                                 int keySize)
    {
        // Convert strings into byte arrays.
        // Let us assume that strings only contain ASCII codes.
        // If strings include Unicode characters, use Unicode, UTF7, or UTF8
        // encoding.
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);

        // Convert our plaintext into a byte array.
        // Let us assume that plaintext contains UTF8-encoded characters.
        byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);

        // First, we must create a password, from which the key will be derived.
        // This password will be generated from the specified passphrase and
        // salt value. The password will be created using the specified hash
        // algorithm. Password creation can be done in several iterations.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
                                                        passPhrase,
                                                        saltValueBytes,
                                                        hashAlgorithm,
                                                        passwordIterations);

        // Use the password to generate pseudo-random bytes for the encryption
        // key. Specify the size of the key in bytes (instead of bits).
        byte[] keyBytes = password.GetBytes(keySize / 8);

        // Create uninitialized Rijndael encryption object.
        RijndaelManaged symmetricKey = new RijndaelManaged();

        // It is reasonable to set encryption mode to Cipher Block Chaining
        // (CBC). Use default options for other symmetric key parameters.
        symmetricKey.Mode = CipherMode.CBC;

        // Generate encryptor from the existing key bytes and initialization
        // vector. Key size will be defined based on the number of the key
        // bytes.
        ICryptoTransform encryptor = symmetricKey.CreateEncryptor(
                                                         keyBytes,
                                                         initVectorBytes);

        // Define memory stream which will be used to hold encrypted data.
        MemoryStream memoryStream = new MemoryStream();

        // Define cryptographic stream (always use Write mode for encryption).
        CryptoStream cryptoStream = new CryptoStream(memoryStream,
                                                     encryptor,
                                                     CryptoStreamMode.Write);

        // Start encrypting.
        cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);

        // Finish encrypting.
        cryptoStream.FlushFinalBlock();

        // Convert our encrypted data from a memory stream into a byte array.
        byte[] cipherTextBytes = memoryStream.ToArray();

        // Close both streams.
        memoryStream.Close();
        cryptoStream.Close();

        // Convert encrypted data into a base64-encoded string.
        string cipherText = Convert.ToBase64String(cipherTextBytes);

        // Return encrypted string.
        return cipherText;
    }

    /// <summary>
    /// Decrypts specified ciphertext using Rijndael symmetric key algorithm.
    /// </summary>
    /// <param name="cipherText">
    /// Base64-formatted ciphertext value.
    /// </param>
    /// <param name="passPhrase">
    /// Passphrase from which a pseudo-random password will be derived. The
    /// derived password will be used to generate the encryption key.
    /// Passphrase can be any string. In this example we assume that this
    /// passphrase is an ASCII string.
    /// </param>
    /// <param name="saltValue">
    /// Salt value used along with passphrase to generate password. Salt can
    /// be any string. In this example we assume that salt is an ASCII string.
    /// </param>
    /// <param name="hashAlgorithm">
    /// Hash algorithm used to generate password. Allowed values are: "MD5" and
    /// "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes.
    /// </param>
    /// <param name="passwordIterations">
    /// Number of iterations used to generate password. One or two iterations
    /// should be enough.
    /// </param>
    /// <param name="initVector">
    /// Initialization vector (or IV). This value is required to encrypt the
    /// first block of plaintext data. For RijndaelManaged class IV must be
    /// exactly 16 ASCII characters long.
    /// </param>
    /// <param name="keySize">
    /// Size of encryption key in bits. Allowed values are: 128, 192, and 256.
    /// Longer keys are more secure than shorter keys.
    /// </param>
    /// <returns>
    /// Decrypted string value.
    /// </returns>
    /// <remarks>
    /// Most of the logic in this function is similar to the Encrypt
    /// logic. In order for decryption to work, all parameters of this function
    /// - except cipherText value - must match the corresponding parameters of
    /// the Encrypt function which was called to generate the
    /// ciphertext.
    /// </remarks>
    public static string Decrypt(string cipherText,
                                 string passPhrase,
                                 string saltValue,
                                 string hashAlgorithm,
                                 int passwordIterations,
                                 string initVector,
                                 int keySize)
    {
        // Convert strings defining encryption key characteristics into byte
        // arrays. Let us assume that strings only contain ASCII codes.
        // If strings include Unicode characters, use Unicode, UTF7, or UTF8
        // encoding.
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);

        // Convert our ciphertext into a byte array.
        byte[] cipherTextBytes = Convert.FromBase64String(cipherText);

        // First, we must create a password, from which the key will be
        // derived. This password will be generated from the specified
        // passphrase and salt value. The password will be created using
        // the specified hash algorithm. Password creation can be done in
        // several iterations.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
                                                        passPhrase,
                                                        saltValueBytes,
                                                        hashAlgorithm,
                                                        passwordIterations);

        // Use the password to generate pseudo-random bytes for the encryption
        // key. Specify the size of the key in bytes (instead of bits).
        byte[] keyBytes = password.GetBytes(keySize / 8);

        // Create uninitialized Rijndael encryption object.
        RijndaelManaged symmetricKey = new RijndaelManaged();

        // It is reasonable to set encryption mode to Cipher Block Chaining
        // (CBC). Use default options for other symmetric key parameters.
        symmetricKey.Mode = CipherMode.CBC;

        // Generate decryptor from the existing key bytes and initialization
        // vector. Key size will be defined based on the number of the key
        // bytes.
        ICryptoTransform decryptor = symmetricKey.CreateDecryptor(
                                                         keyBytes,
                                                         initVectorBytes);

        // Define memory stream which will be used to hold encrypted data.
        MemoryStream memoryStream = new MemoryStream(cipherTextBytes);

        // Define cryptographic stream (always use Read mode for decryption).
        CryptoStream cryptoStream = new CryptoStream(memoryStream,
                                                     decryptor,
                                                     CryptoStreamMode.Read);

        // Since at this point we don't know what the size of decrypted data
        // will be, allocate the buffer long enough to hold ciphertext;
        // plaintext is never longer than ciphertext.
        byte[] plainTextBytes = new byte[cipherTextBytes.Length];

        // Start decrypting.
        int decryptedByteCount = cryptoStream.Read(plainTextBytes,
                                                   0,
                                                   plainTextBytes.Length);

        // Close both streams.
        memoryStream.Close();
        cryptoStream.Close();

        // Convert decrypted data into a string.
        // Let us assume that the original plaintext string was UTF8-encoded.
        string plainText = Encoding.UTF8.GetString(plainTextBytes,
                                                   0,
                                                   decryptedByteCount);

        // Return decrypted string.
        return plainText;
    }
}

/// <summary>
/// Illustrates the use of RijndaelSimple class to encrypt and decrypt data.
/// </summary>
public class RijndaelSimpleTest
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    static void Main(string[] args)
    {
        string plainText = "Hello, World!";       // original plaintext
        string passPhrase = "Pas5pr@se";          // can be any string
        string saltValue = "s@1tValue";           // can be any string
        string hashAlgorithm = "SHA1";            // can be "MD5"
        int passwordIterations = 2;               // can be any number
        string initVector = "@1B2c3D4e5F6g7H8";   // must be 16 bytes
        int keySize = 256;                        // can be 192 or 128

        Console.WriteLine(String.Format("Plaintext : {0}", plainText));

        string cipherText = RijndaelSimple.Encrypt(plainText,
                                                   passPhrase,
                                                   saltValue,
                                                   hashAlgorithm,
                                                   passwordIterations,
                                                   initVector,
                                                   keySize);

        Console.WriteLine(String.Format("Encrypted : {0}", cipherText));

        plainText = RijndaelSimple.Decrypt(cipherText,
                                           passPhrase,
                                           saltValue,
                                           hashAlgorithm,
                                           passwordIterations,
                                           initVector,
                                           keySize);

        Console.WriteLine(String.Format("Decrypted : {0}", plainText));
    }
}
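Because the trojan reuses the Obviex sample's hard-coded passphrase, salt, IV and key size exactly as the ldstr dump shows, its string "obfuscation" can be reversed without .NET at all. The Go program below is an added example (neither the blog author's tool nor Obviex's code): it reimplements the C# Decrypt above, including the legacy PasswordDeriveBytes key expansion that .NET hides, and the two ciphertexts in main are taken from the dump above. The constant and function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strconv"
)
// Parameters recovered from the IL dump above; they are the Obviex sample defaults, unchanged.
const passPhrase, saltValue, initVector, iterations, keyLen = "Pas5pr@se", "s@1tValue", "@1B2c3D4e5F6g7H8", 2, 32

// passwordDeriveBytes mirrors .NET's legacy PasswordDeriveBytes.GetBytes with SHA1: block 0 is
// PBKDF1 output, later blocks hash an ASCII counter ("1", "2", ...) prepended to the base value.
func passwordDeriveBytes(password, salt []byte, iter, n int) []byte {
	base := sha1.Sum(append(append([]byte{}, password...), salt...))
	for i := 1; i < iter-1; i++ { // .NET quirk: iteration counts 1 and 2 give the same key
		base = sha1.Sum(base[:])
	}
	sum := sha1.Sum(base[:])
	out := append([]byte{}, sum[:]...)
	for i := 1; len(out) < n; i++ {
		sum = sha1.Sum([]byte(strconv.Itoa(i) + string(base[:])))
		out = append(out, sum[:]...)
	}
	return out[:n]
}
// decryptString reverses one obfuscated literal: base64 -> AES-256-CBC -> strip PKCS#7 padding.
func decryptString(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("%q: not base64 or not a whole number of AES blocks", b64)
	}
	blk, _ := aes.NewCipher(passwordDeriveBytes([]byte(passPhrase), []byte(saltValue), iterations, keyLen))
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, []byte(initVector)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("%q: bad PKCS#7 padding (wrong key or corrupted data)", b64)
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() { // two literals from the ldstr dump above; both are UAC registry value names
	for _, s := range []string{"c4DAub0e1G54ZOZjPGWbgg==", "vl5QwlkWx0Ht7RmnWUWlvx3C6XO0SqB6odDAGIXQ73Q="} {
		fmt.Println(decryptString(s))
	}
}
```

Any literal from the dump can be passed to decryptString; a padding error on a new sample means its author changed at least one of the four constants, which is the first thing to re-check in the IL.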
That's all for now.
@Dkavalanche 2012